Merge develop to master

.github/dependabot.yml

@@ -0,0 +1,24 @@
+# To get started with Dependabot version updates, you'll need to specify which
+# package ecosystems to update and where the package manifests are located.
+# Please see the documentation for all configuration options:
+# https://docs.github.com/github/administering-a-repository/configuration-options-for-dependency-updates
+# https://docs.github.com/en/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file
+
+version: 2
+updates:
+  - package-ecosystem: "maven"
+    directory: "/"
+    schedule:
+      interval: "weekly"
+    labels:
+      - "java"
+      - "dependencies"
+  - package-ecosystem: "npm"
+    allow:
+      - dependency-type: "direct"
+    directory: "/powerauth-webflow"
+    schedule:
+      interval: "weekly"
+    labels:
+      - "npm"
+      - "dependencies"

.github/workflows/codeql-analysis.yml

@@ -0,0 +1,22 @@
+name: "CodeQL"
+
+on:
+  workflow_dispatch:
+  push:
+    branches: [ 'develop', 'master', 'releases/**' ]
+  pull_request:
+    # The branches below must be a subset of the branches above
+    branches: [ 'develop', 'master', 'releases/**' ]
+  schedule:
+    - cron: '0 2 * * 4'
+
+jobs:
+  codeql-analysis:
+    uses: wultra/wultra-infrastructure/.github/workflows/codeql-analysis.yml@develop
+    secrets: inherit
+    with:
+      languages: "['java', 'javascript']"
+      # CodeQL supports [ 'cpp', 'csharp', 'go', 'java', 'javascript', 'python', 'ruby' ]
+      # Use only 'java' to analyze code written in Java, Kotlin or both
+      # Use only 'javascript' to analyze code written in JavaScript, TypeScript or both
+      # Learn more about CodeQL language support at https://aka.ms/codeql-docs/language-support

.run/NextStepApplication.run.xml

@@ -1,10 +1,12 @@
 <component name="ProjectRunConfigurationManager">
   <configuration default="false" name="NextStepApplication" type="SpringBootApplicationConfigurationType" factoryName="Spring Boot">
+    <option name="ACTIVE_PROFILES" value="dev" />
     <module name="powerauth-nextstep" />
     <option name="SPRING_BOOT_MAIN_CLASS" value="io.getlime.security.powerauth.app.nextstep.NextStepApplication" />
     <option name="VM_PARAMETERS" value="-Dserver.servlet.context-path=/powerauth-nextstep -Dserver.port=9082" />
     <method v="2">
       <option name="Make" enabled="true" />
+      <option name="Maven.BeforeRunTask" enabled="true" file="$PROJECT_DIR$/powerauth-nextstep/pom.xml" goal="process-resources" />
     </method>
   </configuration>
 </component>

.run/PowerAuthWebFlowApplication.run.xml

@@ -1,10 +1,12 @@
 <component name="ProjectRunConfigurationManager">
   <configuration default="false" name="PowerAuthWebFlowApplication" type="SpringBootApplicationConfigurationType" factoryName="Spring Boot" nameIsGenerated="true">
+    <option name="ACTIVE_PROFILES" value="dev" />
     <module name="powerauth-webflow" />
     <option name="SPRING_BOOT_MAIN_CLASS" value="io.getlime.security.powerauth.app.webflow.PowerAuthWebFlowApplication" />
     <option name="VM_PARAMETERS" value="-Dserver.servlet.context-path=/powerauth-webflow -Dserver.port=9080" />
     <method v="2">
       <option name="Make" enabled="true" />
+      <option name="Maven.BeforeRunTask" enabled="true" file="$PROJECT_DIR$/powerauth-webflow/pom.xml" goal="process-resources" />
     </method>
   </configuration>
 </component>

.run/TppEngineApplication.run.xml

@@ -1,10 +1,12 @@
 <component name="ProjectRunConfigurationManager">
   <configuration default="false" name="TppEngineApplication" type="SpringBootApplicationConfigurationType" factoryName="Spring Boot">
+    <option name="ACTIVE_PROFILES" value="dev" />
     <module name="powerauth-tpp-engine" />
     <option name="SPRING_BOOT_MAIN_CLASS" value="io.getlime.security.powerauth.app.tppengine.TppEngineApplication" />
     <option name="VM_PARAMETERS" value="-Dserver.servlet.context-path=/tpp-engine -Dserver.port=9081" />
     <method v="2">
       <option name="Make" enabled="true" />
+      <option name="Maven.BeforeRunTask" enabled="true" file="$PROJECT_DIR$/powerauth-tpp-engine/pom.xml" goal="process-resources" />
     </method>
   </configuration>
 </component>

README.md

@@ -1,8 +1,8 @@
-# PowerAuth 2.0 Web Flow
+# PowerAuth Web Flow
 
-PowerAuth 2.0 Web Flow is a federated authentication and authorization server for web application. It allows user authentication and operation authorization using OAuth 2.0 protocol, and it supports multiple authentication methods, such as username / password combination, PowerAuth 2.0 data signature or SMS OTP.
+PowerAuth Web Flow is an authentication and authorization server for web applications. It allows user authentication and operation authorization using OAuth 2.1 protocol, and it supports multiple authentication methods, such as username / password verification, PowerAuth data signature verification (both online and offline), and OTP code verification. Web Flow supports multi-factor authentication and enforces Strong Customer Authentication (SCA) when required by the use case, e.g. in case of protection of PSD2 APIs.
 
-Typical use-case for the software stack is securing the RESTful API interfaces, or authentication / authorization for internet banking via central authentication / authorization component.
+The typical use-case for the software stack is securing RESTful API interfaces, or authentication / authorization for internet banking via a central authentication / authorization component.
 
 ## Documentation
 

doc-private/Developer-How-To-Start.md

@@ -11,6 +11,19 @@
 - Open [http://localhost:9080/powerauth-webflow/actuator/health](http://localhost:9080/powerauth-webflow/actuator/health) and you should get `{"status":"UP"}`
 
 
+### Database
+
+Database changes are driven by Liquibase.
+
+This is an example how to manually check the Liquibase status.
+Important and fixed parameter is `changelog-file`.
+Others (like URL, username, password) depend on your environment.
+
+```shell
+liquibase --changelog-file=./docs/db/changelog/changesets/powerauth-webflow/db.changelog-module.xml --url=jdbc:postgresql://localhost:5432/powerauth --username=powerauth --hub-mode=off status
+```
+
+
 ## TPP Engine
 
 
@@ -21,6 +34,19 @@
 - Open [http://localhost:9081/tpp-engine/actuator/health](http://localhost:9081/tpp-engine/actuator/health) and you should get `{"status":"UP"}`
 
 
+### Database
+
+Database changes are driven by Liquibase.
+
+This is an example how to manually check the Liquibase status.
+Important and fixed parameter is `changelog-file`.
+Others (like URL, username, password) depend on your environment.
+
+```shell
+liquibase --changelog-file=./docs/db/changelog/changesets/powerauth-tpp-engine/db.changelog-module.xml --url=jdbc:postgresql://localhost:5432/powerauth --username=powerauth --hub-mode=off status
+```
+
+
 ## NextStep
 
 
@@ -31,6 +57,29 @@
 - Open [http://localhost:9082/powerauth-nextstep/actuator/health](http://localhost:9082/powerauth-nextstep/actuator/health) and you should get `{"status":"UP"}`
 
 
+### Database
+
+Database changes are driven by Liquibase.
+
+This is an example how to manually check the Liquibase status.
+Important and fixed parameter is `changelog-file`.
+Others (like URL, username, password) depend on your environment.
+
+```shell
+liquibase --changelog-file=./docs/db/changelog/changesets/powerauth-nextstep/db.changelog-module.xml --url=jdbc:postgresql://localhost:5432/powerauth --username=powerauth --hub-mode=off status
+```
+
+When all user identities are stored in Next Step, add foreign keys for user identity manually (they are not part of liquibase changesets).
+
+```sql
+-- Foreign keys for user identity, to be used only when all user identities are stored in Next Step
+ALTER TABLE ns_operation ADD CONSTRAINT ns_operation_user_fk FOREIGN KEY (user_id) REFERENCES ns_user_identity (user_id);
+ALTER TABLE ns_user_prefs ADD CONSTRAINT ns_user_prefs_fk FOREIGN KEY (user_id) REFERENCES ns_user_identity (user_id);
+ALTER TABLE ns_otp_storage ADD CONSTRAINT ns_otp_user_fk FOREIGN KEY (user_id) REFERENCES ns_user_identity (user_id);
+ALTER TABLE ns_authentication ADD CONSTRAINT ns_auth_user_fk FOREIGN KEY (user_id) REFERENCES ns_user_identity (user_id);
+```
+
+
 ## Webflow Client
 
 

docs/Basic-Definitions.md

@@ -66,7 +66,7 @@ but this has not generally been true for Internet transactions across the EU pri
 
 ### Operation
 
-A new operation is created in the Next Step application with every authentication process in Web Flow. The operation is mapped 1:1 to the OAuth 2.0 dance.
+A new operation is created in the Next Step application with every authentication process in Web Flow. The operation is mapped 1:1 to the OAuth 2.1 dance.
 
 There are two possible outcomes of an operation:
 - **Operation succeeds** - the HTTP session becomes authenticated and the user is redirected to the original application with a successful result
@@ -270,9 +270,9 @@ The effective number of remaining attempts is the lower of the two above mention
 ### HTTP session
 
 The HTTP session is used in Web Flow in following ways:
-- A client may create an operation with operation data before the OAuth 2.0 authentication is started and store assigned operationId in HTTP session in the `operationId` attribute. This attribute is picked when authentication is started and Web Flow continues an already existing operation. In case the `operationId` attribute is not found, Web Flow creates a new login operation with default operation data.
-- During the authentication process, the `PENDING_AUTH_OBJECT` attribute stored in HTTP session is updated with OAuth 2.0 `UserOperationAuthentication` token which contains the most current state of authentication.
-- When the authentication process is successfully completed, the HTTP session becomes authenticated with the OAuth 2.0 `UserOperationAuthentication` token.
+- A client may create an operation with operation data before the OAuth 2.1 authentication is started and store assigned operationId in HTTP session in the `operationId` attribute. This attribute is picked when authentication is started and Web Flow continues an already existing operation. In case the `operationId` attribute is not found, Web Flow creates a new login operation with default operation data.
+- During the authentication process, the `PENDING_AUTH_OBJECT` attribute stored in HTTP session is updated with OAuth 2.1 `UserOperationAuthentication` token which contains the most current state of authentication.
+- When the authentication process is successfully completed, the HTTP session becomes authenticated with the OAuth 2.1 `UserOperationAuthentication` token.
 - When the authentication process fails, the `PENDING_AUTH_OBJECT` attribute is removed from HTTP session. The HTTP session does not become authenticated.
 
 The HTTP session is also used for storing temporary data during operation.

docs/Components.md

@@ -64,10 +64,10 @@ Data Adapter handles following use cases:
 - verify OTP authorization code from SMS
 - authenticate user using user ID, password and OTP authorization code
 - verify a client TLS certificate
-- initialize OAuth 2.0 consent form
-- create OAuth 2.0 consent form
-- validate OAuth 2.0 consent form options
-- save OAuth 2.0 consent form options
+- initialize OAuth 2.1 consent form
+- create OAuth 2.1 consent form
+- validate OAuth 2.1 consent form options
+- save OAuth 2.1 consent form options
 - execute an anti-fraud system (AFS) action and react on response from AFS
 
 For more information see the [Web Flow customization project](https://github.com/wultra/powerauth-webflow-customization)
@@ -76,7 +76,7 @@ For more information see the [Web Flow customization project](https://github.com
 
 Third Party Provider (TPP) Engine implements following functionality:
 - third party provider registry
-- storage of OAuth 2.0 consents
+- storage of OAuth 2.1 consents
 
 TPP Engine is available as a separate application and its deployment is optional.
 

docs/Configuring-Next-Step.md

@@ -12,7 +12,7 @@ Following authentication methods are available:
 - `POWERAUTH_TOKEN` - user authorizes the operation using PowerAuth mobile token
 - `SMS_KEY` - user authorizes the operation using SMS message with OTP
 - `APPROVAL_SCA` - operation approval with either mobile token or SMS and password supporting strong customer authentication 
-- `CONSENT` - OAuth 2.0 consent form with options to approve by the user
+- `CONSENT` - OAuth 2.1 consent form with options to approve by the user
 - `OTP_CODE` - a generic OTP code authentication method which may be delivered by other channel than SMS
 
 The following parameters can be configured:
@@ -54,30 +54,6 @@ VALUES ('OTP_CODE', 10, 0, NULL, NULL, 1, 3, 1, 0, 'method.otpCode');
 
 ```
 
-MySQL:
-```sql
-INSERT INTO ns_auth_method (auth_method, order_number, check_user_prefs, user_prefs_column, user_prefs_default, check_auth_fails, max_auth_fails, has_user_interface, has_mobile_token, display_name_key)
-VALUES ('INIT', 1, FALSE, NULL, NULL, FALSE, NULL, FALSE, FALSE, NULL);
-INSERT INTO ns_auth_method (auth_method, order_number, check_user_prefs, user_prefs_column, user_prefs_default, check_auth_fails, max_auth_fails, has_user_interface, has_mobile_token, display_name_key)
-VALUES ('USER_ID_ASSIGN', 2, FALSE, NULL, NULL, FALSE, NULL, FALSE, FALSE, NULL);
-INSERT INTO ns_auth_method (auth_method, order_number, check_user_prefs, user_prefs_column, user_prefs_default, check_auth_fails, max_auth_fails, has_user_interface, has_mobile_token, display_name_key)
-VALUES ('USERNAME_PASSWORD_AUTH', 3, FALSE, NULL, NULL, TRUE, 5, TRUE, FALSE, 'method.usernamePassword');
-INSERT INTO ns_auth_method (auth_method, order_number, check_user_prefs, user_prefs_column, user_prefs_default, check_auth_fails, max_auth_fails, has_user_interface, has_mobile_token, display_name_key)
-VALUES ('SHOW_OPERATION_DETAIL', 4, FALSE, NULL, NULL, FALSE, NULL, TRUE, FALSE, 'method.showOperationDetail');
-INSERT INTO ns_auth_method (auth_method, order_number, check_user_prefs, user_prefs_column, user_prefs_default, check_auth_fails, max_auth_fails, has_user_interface, has_mobile_token, display_name_key)
-VALUES ('POWERAUTH_TOKEN', 5, TRUE, 1, FALSE, TRUE, 5, TRUE, TRUE, 'method.powerauthToken');
-INSERT INTO ns_auth_method (auth_method, order_number, check_user_prefs, user_prefs_column, user_prefs_default, check_auth_fails, max_auth_fails, has_user_interface, has_mobile_token, display_name_key)
-VALUES ('SMS_KEY', 6, FALSE, NULL, NULL, TRUE, 5, TRUE, FALSE, 'method.smsKey');
-INSERT INTO ns_auth_method (auth_method, order_number, check_user_prefs, user_prefs_column, user_prefs_default, check_auth_fails, max_auth_fails, has_user_interface, has_mobile_token, display_name_key)
-VALUES ('CONSENT', 7, FALSE, NULL, NULL, TRUE, 5, TRUE, FALSE, 'method.consent');
-INSERT INTO ns_auth_method (auth_method, order_number, check_user_prefs, user_prefs_column, user_prefs_default, check_auth_fails, max_auth_fails, has_user_interface, has_mobile_token, display_name_key)
-VALUES ('LOGIN_SCA', 8, FALSE, NULL, NULL, TRUE, 5, TRUE, TRUE, 'method.loginSca');
-INSERT INTO ns_auth_method (auth_method, order_number, check_user_prefs, user_prefs_column, user_prefs_default, check_auth_fails, max_auth_fails, has_user_interface, has_mobile_token, display_name_key)
-VALUES ('APPROVAL_SCA', 9, FALSE, NULL, NULL, TRUE, 5, TRUE, TRUE, 'method.approvalSca');
-INSERT INTO ns_auth_method (auth_method, order_number, check_user_prefs, user_prefs_column, user_prefs_default, check_auth_fails, max_auth_fails, has_user_interface, has_mobile_token, display_name_key)
-VALUES ('OTP_CODE', 10, FALSE, NULL, NULL, TRUE, 3, TRUE, FALSE, 'method.otpCode');
-```
-
 PostgreSQL:
 ```sql
 INSERT INTO ns_auth_method (auth_method, order_number, check_user_prefs, user_prefs_column, user_prefs_default, check_auth_fails, max_auth_fails, has_user_interface, has_mobile_token, display_name_key)
@@ -111,11 +87,6 @@ Oracle:
 INSERT INTO ns_organization (organization_id, display_name_key, is_default, order_number) VALUES ('DEFAULT', null, 1, 1);
 ```
 
-MySQL:
-```sql
-INSERT INTO ns_organization (organization_id, display_name_key, is_default, order_number) VALUES ('DEFAULT', null, TRUE, 1);
-```
-
 The default configuration assigns the `DEFAULT` organization to all operations. You can define multiple organizations to support
 authentication for multiple segments which can have overlapping user IDs, e.g.:
 
@@ -125,12 +96,6 @@ INSERT INTO ns_organization (organization_id, display_name_key, is_default, orde
 INSERT INTO ns_organization (organization_id, display_name_key, is_default, order_number) VALUES ('SME', 'organization.sme', 0, 2);
 ```
 
-MySQL:
-```sql
-INSERT INTO ns_organization (organization_id, display_name_key, is_default, order_number) VALUES ('RETAIL', 'organization.retail', TRUE, 1);
-INSERT INTO ns_organization (organization_id, display_name_key, is_default, order_number) VALUES ('SME', 'organization.sme', FALSE, 2);
-```
-
 Such configuration defines two organizations `RETAIL` and `SME`. The user sees two tabs when authenticating with localized labels
 based on keys `organization.retail` and `organization.sme`. The user can switch the organization against which the authentication is performed.
 The `RETAIL` organization is the default one (it is preselected in the UI). The order of displayed organizations is defined as
@@ -210,8 +175,8 @@ The credential policy requires following configuration:
 - `username_allowed_pattern` - regular expression for checking the username pattern, use `NULL` value for no check
 - `credential_length_min` - minimum length of the credential, use `NULL` value for no limit
 - `credential_length_max` - maximum length of the credential, use `NULL` value for no limit
-- `limit_soft` - soft limit for failed authentication attempts using credential (credential status `BLOCKED_TEMPORARY` when limit is exceeded), use `0` for no limit
-- `limit_hard` - hard limit for failed authentication attempts using credential (credential status `BLOCKED_PERMANENT` when limit is exceeded), use `0` for no limit
+- `limit_soft` - soft limit for failed authentication attempts using credential (credential status `BLOCKED_TEMPORARY` when limit is exceeded), use `null` value for no limit (e.g. for development purposes)
+- `limit_hard` - hard limit for failed authentication attempts using credential (credential status `BLOCKED_PERMANENT` when limit is exceeded), use `null` value for no limit (e.g. for development purposes)
 - `check_history_count` - count of historical credential values which should be checked when changing the credential, use `0` for skipping the check
 - `rotation_enabled` - whether credential rotation is enabled
 - `rotation_days`- number of days for credential rotation, only specify when credential rotation is enabled